1. Technical Field
The embodiments herein generally relate to data security and particularly relates to preventing unauthorized access to electronic data stored or transmitted across computer networks. The embodiments herein more particularly relates to an automated approach to manage cryptographic keys for securing electronic data.
2. Description of the Related Art
Cryptography is the practice and study of techniques for secure data communication among the communication networks. Generally, cryptography includes two category of techniques, namely, shared key cryptography (symmetric key) and public key cryptography (asymmetric key) to help protect the sensitive data sent across a network.
One of the most important and vexing issues in cryptography is the problem of selecting and distributing the encryption key amongst the participants. The conventional approach of cryptography uses a shared secret key, such that the same key is used to encrypt and decrypt data. However, it is a difficult task to choose the key and communicate it to the participants. If the key is chosen by the sender and sent along with the message to the recipient, there is a chance that the data is uncovered and the encryption scheme is broken. Generally, it is advisable to send the key separately and over a different channel of communication to reduce the chances of key loss. The requirement of a different channel presents a difficult obstacle which increases the time and expense of using symmetric systems. An additional problem with conventional symmetric cryptography is that if the same key is used in many messages then in the event of key loss or divulgence the security of all past messages available to an adversary is lost and also any future communication using the same key is also affected.
One response to this problem is the use of different shared keys for each communication to address the key loss problem. However the key distribution problem still remains unaddressed. The sender and the receiver must first establish a pad of one-time keys, such that each has the pad and can use corresponding keys in the sequence for consecutive messages. This method is however expensive as the keys are quickly exhausted and every pair of participants should have their own mutual one-time keypads. If a keypad is lost or stolen, then again the data/messages are potentially at risk.
The key distribution problem is substantially resolved by the public key cryptography by generating a private key-public key pair for key distribution. The messages are encrypted using a public key of the recipient and subsequently decrypted using the corresponding a private key of the recipient. The public key of any participant can be freely distributed to anyone who would like to send encrypted messages to that person. In this strategy, it is the private key that must be protected, and since it is retained locally and used only to decrypt messages it remains relatively secure. There is no need to transmit the private key. The two keys associated with a public key implementation are mathematically related but it is computationally infeasible to determine the private key from its corresponding public key. This is due to the perceived intractability of factoring large integers into their prime factors. If this premise proves unfounded then the public key approach will become vulnerable to adversaries. Also the encryption and decryption processes using public key crypto systems are generally much slower than typical symmetric key systems.
Among the existing public key cryptographic solutions, PGP (Pretty Good Privacy) is the widely used solution to protect sensitive data sent across a network. It is primarily a data encryption and decryption computer program that provides cryptographic privacy and authentication for data communication. PGP is often used for signing, encrypting and decrypting texts, e-mails, files, directories and whole disk partitions to increase the security of e-mail communications. PGP works by compressing plain text data and then creating a session key which is a random number. This random number is then run through the cryptography software to create the session key, which forms a public/private key for the sender. When the plain text is encrypted, the public key is encrypted to the recipient's private key. When the recipient receives the cipher text, he uses his private key to decrypt the data.
However, PGP is considered to be a complex process, as for PGP encryption to work both the sender and the recipient should be using PGP. If the sender emails a file to a recipient who is not using the PGP, the recipient will not be able to open the file. Also managing keys is a challenging task for users new to PGP. Further, keys that are lost or corrupted cause a security risk to users in a highly secure environment.
Across all industries the requirements for managing cryptographic keys are becoming ever-more complex. Ensuring the right key is in the right place, at the right time is mandated by many organizations. This is a complicated requirement as most businesses need to manage an ever-increasing number of keys while reducing the risk of internal and external fraud, as well as keeping the costs at a minimum.
One solution to manage keys is the intervention of key distribution centers (KDC) or a key manager. The major problem of any key manager is the security infrastructure that has to exist to avoid compromising the key. Enterprises usually invest a lot to secure their computing infrastructure from intruders/infiltrators. But hardly any investment is done to prevent internal authorized users accessing the information to leak that information out. For example when the keys are stored in a database a lot of consideration is used to prevent/limit access to this database by any user. But usually there will be one or more DBAs who have a completely un-restricted access to the database (for maintenance, backup, tuning, etc.) and they can easily retrieve all the keys in one go.
Hence, there is a need for a method and system to secure electronic data. There is also a need for a method and system to automatically manage cryptographic keys. Further there is also a need for a method and system for automatically managing cryptographic keys without intervention of any key distribution centers or key managers.
The abovementioned shortcomings, disadvantages and problems are addressed herein and which will be understood by reading and studying the following specification.